1. Field of the Invention
The invention is in the field of computer architecture and particularly in the area of Automatic Data Processing (ADP) security for both single and multiple processor configurations.
2. Description of the Prior Art
The need for security and/or privacy in ADP systems is well established. Secure multilevel ADP systems must accommodate data of various classifications and need-to-know categories without compromising the security of any of the system's capabilities, data items or interfaces. A breach of security could also be effected by denying access when such access is within security regulations and is essential to system performance.
The security requirement to restrict access on a need-to-know basis in addition to the actual military heirarchy of security classifications stems from the danger of using global knowledge at a given level to provide insight to the outline of plans and activities at the next higher classification level. This stringent requirement on military security makes it virtually impossible to satisfy the multilevel ADP problem by establishing separate machines for each separate category of data/program combination. The multilevel security problem presents basically the same technical requirements as the demand for privacy of information in commercially oriented systems.
A well-known security model has been developed by the MITRE Corporation in which mathematical proofs of "no compromise" can be obtained. The model is actually more of a tradition of the literature originating at and around the MITRE Corporation's System Architecture Group than directly associated with a specific reference. However, reference is made to the following documents:
This model is based on a restricted definition of security, proposed by the Department of Defense, which enables solution within conventional computer architectures. Security is, therefore, defined in the negative sense of the absence of compromise. "Compromise" consists of allowing a subject (i.e., user, program, process, etc.) access to data for which it is not authorized in the sense of the object (data, I/O interface, etc.) being more highly classified than its clearance or for which it has no established need-to-know. An example of compromise is the situation where a program, which is authorized to process and disseminate Secret messages, gains access to a Top Secret message. An example which avoids compromise but still constitutes a breach of security is the situation where a program processes data to effect some authorized function, but sets a condition which precludes execution of another program responsible for effecting another authorized data processing function.
Early attempts in implementing secure computer systems involved completely separate machines for each classification/need-to-know category, but such attempts require large amounts of idle hardware. They are also extremely inflexible when it comes to incorporating additional categories, in that a separate machine must be included for each contemporaneous category.
Solutions to the problem of security and/or privacy of ADP systems have been implemented using the MITRE model of security to determine the access privileges of the application programs. Such implementations provide a requirement for a reference monitor, or "security kernel" as it is typically called, to control resource access. The security kernel is an automated implementation of the security rules. This kernel must be isolated and protected to prevent unauthorized modification or tampering so that its continued integrity can be absolutely guaranteed. This security kernel allocates data and programs to separated processing environments based upon classification and clearance. This security kernel is almost exclusively a software implementation in conventional systems.
Descriptor-based machines of current vintage provide the capability of defining virtual machines within themselves which accommodate mutually exclusive access privileges as required by the model. These machines typically incorporate a three-state processor for kernel, supervisor and application program domains of operation. To facilitate the logical isolation of the three processing domains, memory mapping hardware is used which can be updated only in the kernel mode (to which the security kernel operations are allocated). Every data access to memory is then made with respect to this memory map. Typically, the memory mapping hardware divides the entire computer memory into pages of some fixed or specified variable length block size. Any given program can access only a specified subset of the total pages in the system, thereby restricting the access domain of the program. Hardware descriptor registers are utilized to define memory domains and to specify read and write authorization. Special hardware traps to the kernel mode are activated when memory access violations are attempted. An excellent tutorial article discussing the descriptor-based security approach may be found in Jerome H. Saltzer, et al., "The Protection of Information in Computer Systems", Proc. of IEEE, Vol. 63, No. 9, (Sept., 1975), pp. 1278-1308.
Numerous problems are encountered with these prior art approaches, including the following:
(1) An enlarged memory requirement exists due to fragmentation of the physical memory to allocate the data of the various classifications to fixed size pages. Even where fixed size pages are not required, the contiguity of data with common need-to-know categories presents data duplication requirements in some cases to avoid high overhead.
(2) Mapper set up overhead becomes very large where many registers are provided to give good data resolution. When the number of registers is reduced, more frequent mapper set up is required with commensurable overhead.
(3) The processors are complex because of the mapper requirements and the three state operating mode requirements. This adds to the initial cost of the hardware, and more significantly affects the certification problem of both the hardware and the software.
(4) The security kernel is not completely isolated in the sense of being physically separated from the user domain.
(5) The security kernel is implemented in software, and despite efforts made to keep it small, it is typically very large and difficult to certify.
(6) The application software which is controlled in such approaches is typically broken into large blocks. This is done to keep the program scheduling and mapper set up overhead low which would otherwise increase significantly as the number of program blocks increased. Because of the large program size, there will typically be many data accesses in each program which increases the likelihood of requiring access at more than one classification of data. This implies that a large percentage of processes may need the "trustedness" requirements as explained more fully below.
(7) The request-driven aspect of access authorization implies application program capabilities to assess the structure and status of the system. This provides a suitable environment for the exploitation of trojan horses.
(8) The programs which implement the application processes are written typically with large scope in a high level language. These programs are complied and/or assembled into the object code which actually gets executed by the machine. A detailed certification procedure is required in order to guarantee that the validity of the code which is ultimately implemented corresponds to the authorized access matrix. In this procedure, there are up to four levels of program translation which must be certified. It becomes virtually impossible to obtain the measure of security required for critical applications affecting national defense when this procedure is used.
(9) Denial-of-service is a serious threat to security which is not incorporated into the MITRE model or the DOD definition of security described previously. The central aspect of this problem is to assure that application program subsystems will be activated when appropriate and will not be activated in inappropriate situations. The request basis of conventional software structures makes this a particularly difficult threat to security in conventional computer architectures.
(10) Certification is another problem area which is inadequately treated in the MITRE model and which is also ill-suited for solution in conventional software structures where branching capabilities and request-driven access authorizations are generally allowed.